itlawwikiaorg-20200214-history
Phishing
Definitions

Phishing refers to a social engineering attack, where someone misrepresents their identity or authority in order to induce another person to provide personally identifiable information (PII) over the Internet. Internet scammers use e-mail bait to “phish” for passwords and personal financial data from the "sea" of Internet users.

Phishing History

Phishing is a term that was coined in 1996 by U.S. hackers who were stealing America Online (“AOL”) accounts by scamming passwords from AOL users. The use of “ph” in the terminology traces back to the 1970s, when early hackers were involved in “phreaking,” the hacking of telephone systems.

Typical phishing scams

Some common phishing scams involve e-mails that purport to be from a financial institution, Internet service provider (ISP), or other trusted company claiming that a person’s records have been lost or their account compromised. The e-mail directs the person to a website that mimics the legitimate business' website and asks the person to enter a credit card number and other PII so the records or account can be restored. In fact, the e-mail or website is controlled by a third party who is attempting to extract information that will be used in identity theft or other crimes.

In a variant of this practice, victims receive e-mails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the e-mail to "reenter" or "validate" their personal data. Such phishing schemes often mimic financial institutions' websites and e-mails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information.

The key point about phishing is that it works by means of social engineering — victims are persuaded to go to a fraudulent website, on which they themselves enter their personal information. No malware needs to be involved, and standard technical measures such as anti-virus software are of no use. Although phishing emails were originally written in poor English and were relatively easy to detect, they have grown in sophistication, and millions of individuals have been misled.

The number of phishing emails is enormous: in the second half of 2006, 900-1,000 unique phishing messages, generating almost 8 million emails, were blocked by Symantec software alone on a typical working day (Symantec Internet Security Threat Report, July-December 2006 (full-text)), though according to MessageLabs, phishing still represents just 0.36 percent of total emails (MessageLabs 2006 Annual Security Report (full-text)).

Phishing attacks can also involve the use of technical subterfuge schemes that plant malicious code, such as Trojan keylogger spyware, onto an individual's computer without the individual's awareness and steal personal information directly.

Additional phishing scams include:

* Using a "From" address that looks very close to one of the legitimate addresses the user is familiar with, or one from someone claiming to be an authority (IT administrator, manager, etc.).
* Presenting to the recipient an alarm, a financial lure, or an otherwise attractive situation that either makes the recipient panic or tempts the recipient into taking an action or providing the requested information.
* Sending the email through a legitimate account holder's email software or credentials, typically using a bot that has taken control of the email client or malware that has stolen the user's credentials.

Phishing attacks aid criminals in a wide range of illegal activities, including identity theft and fraud. They can also be used to install malware and attacker tools on a user's system. Common methods of installing malware in phishing attacks include phony banner advertising and pop-up windows on websites.
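The look-alike "From" address, the borrowed organisation name and the alarm or lure wording described above are signals an inbound-mail filter can score before a message reaches a user, which is what the Step 2 countermeasures later in this article aim at. The following Python is an added example for this article, not code from the IT Law Wiki or any source it cites; the trusted-domain list, the lure phrases, the message layout and the three sample messages are all constructed for illustration.

```python
"""Heuristic scoring of inbound e-mail for the sender-address, link and lure
tactics listed above. Added example for this article, not code from the IT Law
Wiki or its sources; domains, patterns, weights and messages are constructed."""
import re
from email.utils import parseaddr
from typing import List, Optional, Tuple
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com", "example-isp.net"}  # constructed allow-list
LURE_PATTERNS = [  # constructed phrases for the "alarm or financial lure" tactic
    r"\baccount (?:has been |was )?(?:suspended|compromised|locked)\b",
    r"\bverify your (?:account|identity|information|details)\b",
    r"\bwithin \d+ hours?\b",
]
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value means one string imitates the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise_domain(domain: str) -> str:
    """Fold digit-for-letter swaps (examp1e) and rn-for-m, drop punctuation."""
    folded = domain.lower().translate(str.maketrans("01357", "olest"))
    return folded.replace("rn", "m").replace("-", "").replace(".", "")

def is_trusted(domain: str) -> bool:
    return domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain that `domain` imitates (None if trusted or unrelated)."""
    domain = domain.lower()
    if is_trusted(domain):
        return None
    norm = normalise_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        tnorm = normalise_domain(trusted)
        # same after folding, a typo or two away, or the trusted name embedded
        # in a foreign domain such as examplebank.com.evil.test
        if norm == tnorm or levenshtein(norm, tnorm) <= 2 or trusted.split(".")[0] in domain:
            return trusted
    return None

def claims_trusted_name(display_name: str, sender_domain: str) -> Optional[str]:
    """Display name invokes a trusted organisation but the domain is unrelated."""
    if is_trusted(sender_domain):
        return None
    squashed = display_name.lower().replace(" ", "").replace("-", "")
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0].replace("-", "") in squashed:
            return trusted
    return None

def link_mismatches(html_body: str) -> List[Tuple[str, str]]:
    """(shown host, real host) pairs where link text names a different site."""
    out = []
    for href, text in ANCHOR_RE.findall(html_body):
        actual = (urlparse(href).hostname or "").lower()
        shown = HOST_IN_TEXT_RE.search(text)
        if not shown:
            continue
        host = shown.group(1).lower()
        if not (host == actual or actual.endswith("." + host) or host.endswith("." + actual)):
            out.append((host, actual))
    return out

def analyse(message: dict) -> dict:
    """Score one message; the {'from','subject','body'} shape is constructed."""
    findings = []
    name, addr = parseaddr(message["from"])
    sender_domain = addr.rpartition("@")[2].lower()
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} resembles {imitated}")
    claimed = claims_trusted_name(name, sender_domain)
    if claimed:
        findings.append(f"display name claims {claimed} from {sender_domain}")
    for shown, actual in link_mismatches(message["body"]):
        findings.append(f"link shows {shown} but leads to {actual}")
    if any(re.search(p, message["subject"] + " " + message["body"], re.I) for p in LURE_PATTERNS):
        findings.append("alarm or lure wording")
    return {"score": len(findings), "findings": findings}

SAMPLE_MESSAGES = [  # constructed: look-alike sender, genuine notice, freemail sender
    {"from": "Example Bank Security <alerts@examp1ebank.com>",
     "subject": "Your account has been suspended",
     "body": 'Restore access at <a href="http://examplebank.com.evil.test/r">'
             'https://www.examplebank.com/login</a> within 24 hours.'},
    {"from": "Statements <statements@examplebank.com>",
     "subject": "Your March statement is available",
     "body": 'Sign in at <a href="https://www.examplebank.com/">examplebank.com</a>.'},
    {"from": "Example Bank <helpdesk.examplebank@freemail.example>",
     "subject": "Action required",
     "body": "Please verify your account details by replying to this message."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", analyse(m))
```

Each finding is reported separately rather than collapsed into a verdict, because a filter of this kind is a triage aid: the genuine statement notice scores zero, while the look-alike sender collects four independent indicators (folded domain, borrowed display name, link text pointing elsewhere, urgency wording), which is what makes the score robust against any single tactic being disguised. The folding and edit-distance thresholds are deliberately loose and would need tuning against an organisation's real correspondents.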
Users who click on such fake ads or pop-up windows may unknowingly permit keystroke loggers to be installed on their systems. These tools can allow a phisher to record a user's personal data and passwords for any and all websites that the user visits, rather than just for a single website.

How it works

A classic phishing attack using e-mail is as follows:

Step 1. The phisher sends the potential victim an e-mail that appears to be from the victim's bank or another organization that would hold the victim's personal information. The phisher carefully uses the colors, graphics, logos and wording of the existing company.

Step 2. The potential victim reads the e-mail and takes the bait by providing the phisher with personal information, either by responding to the e-mail or by clicking on a legitimate-looking link and providing the information via a form on a website that appears to be from the bank or organization in question.

Step 3. This fake website or e-mail sends the victim’s personal information directly to the phisher.

Steps in a phishing attack

All phishing attacks fit into the same general information flow. At each step in the flow, different countermeasures can be applied to stop phishing. The steps are:

0. The phisher prepares for the attack. Step 0 countermeasures include monitoring malicious activity to detect a phishing attack before it begins.
1. A malicious payload arrives through some propagation vector. Step 1 countermeasures involve preventing a phishing message or security exploit from arriving.
2. The user takes an action that makes him or her vulnerable to an information compromise. Step 2 countermeasures involve detecting phishing tactics and rendering phishing messages less deceptive.
3. The user is prompted for confidential information, either by a remote web site or locally by a Web Trojan. Step 3 countermeasures are focused on preventing phishing content from reaching the user.
4. The user compromises confidential information. Step 4 countermeasures concentrate on preventing information from being compromised.
5. The confidential information is transmitted from a phishing server to the phisher. Step 5 countermeasures involve tracking information transmittal.
6. The confidential information is used to impersonate the user. Step 6 countermeasures center on rendering the information useless to a phisher.
7. The phisher engages in fraud using the compromised information. Step 7 countermeasures focus on preventing the phisher from receiving money.

Preventive steps

The Federal Trade Commission (FTC) has posted a consumer alert outlining steps that users should take to protect themselves from phishing (Federal Trade Commission, How Not to Get Hooked by a Phishing Scam (Oct. 2006) (full-text)):

* Do not reply to email messages or popup ads asking for personal or financial information.
* Do not trust telephone numbers in e-mails or popup ads. Voice over Internet Protocol technology can be used to register a telephone with any area code.
* Use antivirus, anti-spyware, and firewall software. These can detect malware on a user’s machine that is participating in a phishing attack.
* Do not email personal or financial information.
* Review credit card and bank account statements regularly.
* Be cautious about accessing untrusted Web sites because some Web browser vulnerabilities can be exploited simply by visiting such sites. Users should also be cautious about opening any attachment or downloading any file from untrusted emails or Web sites.
* Forward phishing-related emails to spam@uce.gov and to the organization that is impersonated in the email.
* Request a copy of your credit report yearly from each of the three credit reporting agencies: Equifax, TransUnion, and Experian. If an identity thief opens accounts in your name, they will likely show up on your credit report. (Under the Fair and Accurate Credit Transactions Act of 2003, consumers can request a free credit report from each of the three consumer credit reporting agencies once every 12 months.)

Additional steps include:

* Validating official communication by personalizing emails and providing unique identifying information that only the organization and user should know. However, confidential information should not be disclosed.
* Using digital signatures on e-mail. However, digital signatures may not be validated automatically by the user’s email application.
* Performing content validation within the Web application. Vulnerabilities in the organization’s Web applications may be used in a phishing attack.
* Personalizing Web content, which can aid users in identifying a fraudulent Web site.
* Using token-based or mutual authentication at the Web site to prevent phishers from reusing previous authentication information to impersonate the user.

References

Source

* Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures, at 2.
* "Typical phishing scams" section: NIST Special Publication 800-177, at 16.

See also

* Advisory on Registrar Impersonation Phishing Attacks
* Avoiding Social Engineering and Phishing Attacks
* Clone phishing
* Man-in-the-middle attack
* Nigerian 4-1-9 fraud
* Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures
* Pharming
* Phisher
* Report on Phishing
* SMiShing
* Spam Summit: The Next Generation of Threats and Solutions
* Spear-phishing
* State phishing laws
* Vishing
* Whaling

External resources

* Anti-Phishing Working Group
* FTC, Consumer Alert on Phishing (June 2004).
* Rachna Dhamija, J. D. Tygar & Marti Hearst, "Why Phishing Works" (Apr. 2006) (full-text).

Category:E-mail
Category:Computer crime
Category:Internet
Category:Privacy
Category:Fraud